May 2024

Granting User Privilege in Radosgw S3


So, if you are using Ceph radosgw to provide yourself an S3 endpoint: good for you!

That’s cool!

… isn’t it?

Except… well…

How do you make stuff accessible?

Sure, you can use the s3cmd tool to push and pull assets, but making stuff accessible through plain HTTP(S) requests can be a bit weird.

While the documentation is… extensive1, it's a bit light on explicit "how to do the thing" kinds of information.

I suppose that's because of how complex it is, in general, but… that's neither here nor there.

Through some digging on Stack Overflow2, in conjunction with the AWS configuration examples3, I figured out the following.

Hope it helps ya!

To make stuff wide-open, you'd upload a bucket policy that sets the bucket permissively. Be clear about what "permissively" means here: "Principal": "*" is the anonymous principal, and because s3:ListBucket is in the grant, anyone on the internet can enumerate every key in the bucket, not just fetch the ones they already know the name of. Only do this for content that is genuinely meant to be public.

applying a bucket policy

  • Suppose your s3 endpoint is dog.wolfspyre.io
  • Suppose your bucket is thebucket
  • Suppose we save the following JSON as 'thebucket_is_wide_open.json':
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetBucketWebsite",
        "s3:ListBucket",
        "s3:GetBucketCORS"
      ],
      "Resource": [
        "arn:aws:s3:::thebucket",
        "arn:aws:s3:::thebucket/*"
      ]
    }
  ]
}

Okay… cool… but how does one… uh… apply this?

The simplest way for most people to do this is with the s3cmd tool, which is configured by a .s3cfg file:

  • Suppose we have our .s3cfg file saved as '.s3cfg_thebucket':
[default]
# %(bucket)s and %(location)s are Python %-format placeholders; the trailing
# 's' is required, or s3cmd fails when it expands the bucket hostname.
#upstream_website_endpoint = http://%(bucket)s-%(location)s.amazonaws.com/
#website_endpoint = http://dog.wolfspyre.io/
website_error = error.html
website_index = index.html
host_base = dog.wolfspyre.io
# Virtual-host style bucket URLs; needs a wildcard DNS record for
# *.dog.wolfspyre.io and rgw_dns_name set on the gateway. Path-style only?
# Use host_bucket = dog.wolfspyre.io instead.
host_bucket = %(bucket)s.dog.wolfspyre.io
# Keep credentials off the wire in the clear.
use_https = True
# Placeholders: use the key pair radosgw-admin issued for this user.
access_key = someNICEl0ngHIGHentropyKeyHere
secret_key = evenLONGERnic3andH1gh3ntropyStr1ngH3R3

Applying it is as simple as:

s3cmd -c ~/.s3cfg_thebucket setpolicy thebucket_is_wide_open.json s3://thebucket

Neat… but now… what if we want to let users USERNAMEA, USERNAMEB, and USERNAMEC write to the bucket as well? Radosgw expects principals as arn:aws:iam:::user/NAME; the empty field between the colons is where a tenant goes, so a tenanted user is arn:aws:iam::TENANT:user/NAME.

Let's save this one as 'some_users_write-thebucket_is_open.json':

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetBucketWebsite",
        "s3:ListBucket",
        "s3:GetBucketCORS"
      ],
      "Resource": [
        "arn:aws:s3:::thebucket",
        "arn:aws:s3:::thebucket/*"
      ]
    },
    {
      "Sid": "AuthorizedFullControl",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:::user/USERNAMEA",
          "arn:aws:iam:::user/USERNAMEB",
          "arn:aws:iam:::user/USERNAMEC"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::thebucket",
        "arn:aws:s3:::thebucket/*"
      ]
    }
  ]
}

s3cmd -c ~/.s3cfg_thebucket setpolicy some_users_write-thebucket_is_open.json s3://thebucket

One caveat: s3:* is the entire S3 action namespace, which includes s3:PutBucketPolicy and s3:DeleteBucket. Anyone listed under AuthorizedFullControl can therefore rewrite this policy (including making the bucket anonymously writable) or delete the bucket outright. If you only want them to upload, grant s3:PutObject and s3:DeleteObject (plus s3:ListBucket) instead of s3:*.

Neat, eh?
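Both policies above follow the same shape, and both are easy to get subtly wrong by hand (a typo in a principal ARN silently grants nothing; a stray "*" grants everything). The script below is an added example, not code from the original post: it builds the public-read and writers policies for a bucket and lints a policy before it goes to s3cmd setpolicy, flagging anonymous principals that receive anything beyond the read-only set, resources that point outside the bucket, and grants that let the grantee rewrite the policy itself. The bucket and user names are the post's placeholders; the lint rules, severity levels and the tenant handling in user_arn are this example's assumptions about what a practitioner wants checked.

```python
#!/usr/bin/env python3
"""Build a radosgw bucket policy for `s3cmd setpolicy` and lint it first.

Added example, not from the original post. Bucket/user names are the
post's placeholders (thebucket, USERNAMEA...); the rules are assumptions.
"""
import json

# The read-only set the post hands to the anonymous principal.
PUBLIC_READ_ACTIONS = ("s3:GetObject", "s3:GetBucketWebsite",
                       "s3:ListBucket", "s3:GetBucketCORS")
# Actions that let a grantee change who else can do what to the bucket.
POLICY_CONTROL_ACTIONS = ("s3:*", "s3:PutBucketPolicy",
                          "s3:DeleteBucketPolicy", "s3:PutBucketAcl")


def bucket_arns(bucket):
    """Bucket ARN (ListBucket etc.) plus object ARN (GetObject etc.)."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def user_arn(user, tenant=""):
    """radosgw principal ARN: the tenant sits where AWS puts the account id."""
    return f"arn:aws:iam::{tenant}:user/{user}"


def build_policy(bucket, writers=(), public_read=True):
    """Public-read statement plus an optional full-control statement for writers."""
    statements = []
    if public_read:
        statements.append({
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(PUBLIC_READ_ACTIONS),
            "Resource": bucket_arns(bucket),
        })
    if writers:
        statements.append({
            "Sid": "AuthorizedFullControl",
            "Effect": "Allow",
            "Principal": {"AWS": [user_arn(u) for u in writers]},
            "Action": "s3:*",
            "Resource": bucket_arns(bucket),
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True for "*" as well as {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def lint_policy(policy, bucket):
    """Return (level, message) findings. 'error' = do not apply; 'warn' = know what you granted."""
    findings = []
    allowed = set(bucket_arns(bucket))
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        for res in _as_list(st.get("Resource", [])):
            if res not in allowed:
                findings.append(("error", f"{sid}: resource {res} is outside {bucket}"))
        if is_anonymous(st.get("Principal")):
            extra = [a for a in actions if a not in PUBLIC_READ_ACTIONS]
            if extra:
                findings.append(("error", f"{sid}: anonymous principal gets non-read actions {extra}"))
            if "s3:ListBucket" in actions:
                findings.append(("warn", f"{sid}: anyone can enumerate every key in {bucket}"))
        elif any(a in POLICY_CONTROL_ACTIONS for a in actions):
            findings.append(("warn", f"{sid}: grantees can rewrite this policy (s3:* includes PutBucketPolicy)"))
    return findings


def main():
    bucket = "thebucket"
    policy = build_policy(bucket, writers=["USERNAMEA", "USERNAMEB", "USERNAMEC"])
    for level, msg in lint_policy(policy, bucket):
        print(f"[{level}] {msg}")
    path = "some_users_write-thebucket_is_open.json"
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    # Apply with the post's s3cmd invocation once the findings are acceptable.
    print(f"s3cmd -c ~/.s3cfg_thebucket setpolicy {path} s3://{bucket}")


if __name__ == "__main__":
    main()
```

Run it and read the findings before pasting the s3cmd line: for the post's own policy the linter produces two warnings (anonymous listing and s3:* on the writers) and no errors, which is the intended result; an error means the file grants something you did not mean to.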